Chinese army hackers return from vacation, renew attacks on US

Being outed, public "shaming" by White House only yielded pause in hacks.

After being publicly exposed in February as the source of a long list of cyberattacks on US companies and media organizations, the Chinese People's Liberation Army's (PLA) Unit 61398 largely pulled back from the networks it had infiltrated. But now, the New York Times reports, the hackers are back in action, using new techniques to go after many of the same corporate and government targets they had infiltrated before.

The revived attacks come despite (or perhaps because of) the direct accusations leveled against China's military in a Pentagon report to Congress earlier this month. The White House approved "naming and shaming" the PLA unit in hopes that it would cause the Chinese government to take action. The move was part of an escalation of diplomatic pressure that began in March, when White House National Security Advisor Tom Donilon first publicly mentioned the Obama Administration's appeal to the Chinese government to "engage with us in a constructive dialogue" on cyber security.

"In 2012, numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military," the Pentagon report stated. "These intrusions were focused on exfiltrating information. China is using its computer network exploitation (CNE) capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support US national defense programs."

Cybersecurity firm Mandiant, which assisted the Times in handling its own infiltration by Unit 61398, reports that the PLA's hackers are back in action using new tools and new command-and-control networks. Mandiant also reported that the Chinese hackers are now back at about 60 to 70 percent of their previous activity levels.

33 Reader Comments

I would imagine that the "constructive dialogue" that was requested broke down due to the use of the same tactics on both sides. I imagine we'll need something akin to SALT to really bring this into line with more conventional weapons.

How do they measure these things? How do they know it's China? Who's to say it's not Bhutan or Palau?

Articles about IT espionage always make me question the PR to fact ratio.

One generally looks at the routing of said information. Sure, initially the tracks might have been obfuscated but with a bit of tenacity and talent, originating IP address/ranges can be resolved. When the resolving IP range indicates a block of Chinese addresses, it's probably China.

Strategic talks won't matter, this is all covert operations. The real problem is the fact that the USA basically handed its own nuts to China and said "go ahead and hold these" by allowing all of our manufacturing capacity to be moved there. Now we're in no position to make any demands at all from China. Even if the USA can have all of the manufacturing capacity restored back to the domestic territory we'll still have made the massive mistake of bringing China's technological abilities in line with our own.

I assume the USA's cyber attacks are at least as well obfuscated, perhaps better because I haven't heard many complaints from China.

I guess my issue is the number quoted by the IT company, the cynic in me assumes it's inflated, and I don't have the ability to cross check it.

China should have been nuked from orbit half a century ago.

Seriously? I didn't think people like you frequented Ars.

Right, because a movie quote used to equate China with a very dangerous, overpowering, and corporately coveted power makes me a monster.

Get over yourself, all of you nutcases that really think movie quotes have any significant meaning.

If only we could get Mandiant to publish their evidence, and then get some well known websites to write several articles about the report. If only. But who am I kidding, we all know no one would read any of it.

Reading and researching is too hard, it's not like there's an easily accessible electronic communication network that puts vast reams of information at my fingertips, and even if there was you can't expect me to actually expend effort ... I mean ... I'm an adult of voting age. Why would you expect me to be capable of being self-informed?

Or it's someone who set up a server inside of China that they are routing their traffic through. Hardly conclusive evidence.

Yes, our regularly scheduled government leak to remind us that China is scary. We get one of these every few weeks. If you read the original NY Times report, and take out all the rehashed old news, there's actually nothing much to it at all. The NY Times is using their usual anonymous sources and security industry people drumming up business for their consulting companies.

If the US can't shame the PLA into stopping, then I hope the US at least has a cyber division comparable in scale and effectiveness if not exposure (a cyber-security "arms race" if you will). I assume that it does except we don't hear about it very often (e.g., Stuxnet).

I suppose the upside to the PLA's cybertheft, if you want to call it an upside, is that their constant probing of networks worldwide provides an incentive to keep security measures up-to-date. Although, those updates are likely to happen after the loss of information, which is regrettable, but unavoidable in our reactionary world.

We have one. It doesn't raid corporations for intel to turn over to US businesses.

The less you know that they exist, the more effective they are. If we know they are penetrating our network, they are not effective. If they do not know we are penetrating their network, we are effective.

Chinese hackers bite the big pickle.

There are lots of Chinese ... Just because you know of a few, it's unlikely you know them all.

I have a sneaking suspicion the US has already shoved some software onto these Chinese systems. From what I've read, what they lack in hacking finesse is made up for by persistence.

If they don't stop, they are probably going to get their knuckles whacked. Hard.

This isn't a single instance of cyber-espionage, nor is it a carefully crafted attack using a single vector. It is, quite literally, an unending torrent of unfocused probing of virtually all US IP blocks along with slightly smaller focused attacks on certain higher-priority targets such as US media companies and the Department of Defense. Get some software that monitors incoming connection attempts on your personal PC, and you'll be surprised at just how many Chinese IPs are pinging you. What's more is that there is hardly any effort to obfuscate these attacks. It's akin to a thief attempting to break into and rob every house in your neighborhood every week while leaving their calling card letting you know who did it and that they'll be back without fail.

The reason that China does this is that there is very little the US can do to stop it. We obviously don't want to go to war over this, and any kind of economic sanctions on China would cripple the US economy as well, given that much of our manufacturing is based in China.

Apparently the US had one before China did, and the creation of the US's Cyber Command prompted China to create one as a "defensive" measure. I don't know if PLA Unit 61396 is what China was referencing at the time, though, because they've also targeted corporations, which is not to say that the US isn't targeting Chinese corporations that are part of China's military-industrial complex or economic base.

Um, let's kill a billion people already. Have you had breakfast yet? There's a lot of ranting and frothing in your diary today.

It's the only way to be sure.

So your grandiose solution to the problem that the US is losing attraction towards various industries is annihilating another race with weapons of mass destruction? Have you just woken up from the 1950s?

"I can't be a better boyfriend than John, but I sure as hell can put a bullet in him!"

I noticed the same crap on my server. I was getting literally hundreds of login attempts per minute all day every day until I got around to installing fail2ban. But that really only covered forwarded ports. One of these days I need to get a router with more advanced capabilities (the included one from Verizon kind of sucks) so I can monitor what is going on across the network.
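
The thread above argues two practical points: that failed-login floods from Chinese address blocks are a routine sight on any exposed server (handled by fail2ban-style rate limiting), and that the registered country of a source prefix is weak attribution, since a relay or rented server inside China looks identical. The following is an added example, not code from the article or from any commenter, that puts both together: it parses constructed OpenSSH "Failed password" lines, applies a fail2ban-like threshold (five failures in a ten-minute window), and tags each flagged source with the country its prefix is registered to. The log lines, the prefix-to-country table and the function names are assumptions made for the example; a real deployment would read /var/log/auth.log and consult an RIR or GeoIP database.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in classic syslog form (no year in the timestamp).
# These are invented for the example, not log data from the page; the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 20 03:14:01 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51522 ssh2
May 20 03:14:03 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51530 ssh2
May 20 03:14:05 web1 sshd[2043]: Failed password for invalid user admin from 203.0.113.7 port 51541 ssh2
May 20 03:14:09 web1 sshd[2044]: Failed password for root from 203.0.113.7 port 51555 ssh2
May 20 03:14:12 web1 sshd[2046]: Failed password for invalid user oracle from 203.0.113.7 port 51560 ssh2
May 20 03:20:44 web1 sshd[2101]: Failed password for invalid user test from 198.51.100.23 port 40012 ssh2
May 20 03:52:10 web1 sshd[2230]: Failed password for root from 198.51.100.23 port 40100 ssh2
May 20 04:30:00 web1 sshd[2311]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
"""

# Constructed stand-in for a registry allocation table. A real check would
# consult the RIR delegated files or a GeoIP database; this mapping is an
# assumption made up for the example (203.0.113.0/24 is not really Chinese).
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2013):
    """Yield (timestamp, username, source address) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], ipaddress.ip_address(m["ip"])


def offenders(log_text, maxretry=5, findtime_s=600):
    """fail2ban-style rule: flag a source that has maxretry or more failures
    inside any window of findtime_s seconds (5 in 600 s are fail2ban's defaults).
    Returns {source_ip: failures_in_the_first_triggering_window}."""
    findtime = timedelta(seconds=findtime_s)
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each failure
            window = [t for t in times[i:] if t - start <= findtime]
            if len(window) >= maxretry:
                flagged[str(ip)] = len(window)
                break
    return flagged


def country_of(ip):
    """Country the source prefix is allocated to, or '??' if unknown.
    This says where the address block is registered, not who is at the keyboard:
    a relay or rented server inside that country produces the same answer."""
    ip = ipaddress.ip_address(ip)
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def report(log_text):
    """Map each flagged source to its failure count and prefix country."""
    return {ip: {"failures": n, "country": country_of(ip)}
            for ip, n in offenders(log_text).items()}


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"prefix registered to {info['country']}")
```

On the sample, only 203.0.113.7 trips the threshold (five failures in eleven seconds); 198.51.100.23's two attempts half an hour apart do not, which is the same reason fail2ban's window matters more than the raw count. The country tag is reported alongside the count precisely so that it is read as a property of the address block rather than as proof of who is behind it.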

I'm sure the US has the chops to go head to head with PLA 61396. But what's the point? Was there some cool auto tech that China has that we need? Maybe some military tech we're lacking? Or medical? Or maybe their entertainment industry is really appealing to us? Or maybe all the factories we built there organically innovated tons of new manufacturing technologies that we need? I'm not seeing much in their construction regime that we haven't figured out.

So, while there IS some interesting stuff to spy on, I'm sure, the sheer imbalance of intellectual property makes it kind of a moot point. I'm pretty sure the Chinese ethos doesn't really get/care why the US populace finds the mass-scale rip-off offensive. They whitewashed all of that morality-enforcing stuff (religion) from their society two generations ago. It is simply just a matter of survival to them.

I think it'd be less about stealing intellectual property for the US to copy and more about knowing the capabilities of a potential enemy (who is currently just a sparring partner). Realistically, the Chinese and American economies are too intertwined for any serious warmongering, but in the interest of maintaining defensive capabilities for the types of threats that are or may be out there, probing PLA and associated manufacturing industries for information would be a reasonable mission for US Cyber Command.

Even if China hasn't devised some newfangled piece of military/medical/manufacturing technology, it behooves the US to investigate where it can to see whether or not China has done so.

On a related note, there's an interesting PopSci article on China's emerging military here. As that article notes, it's probably more advantageous for China to develop its own technologies rather than rival the arsenal of the US tit-for-tat. Those technologies are what should interest US Cyber Command.

Before both WW1 and WW2, France and Germany were each other's largest trading partner.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.